Bug 15603 - Regression(r26847): Crash when sorting an empty array from JavaScript
Summary: Regression(r26847): Crash when sorting an empty array from JavaScript
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL: http://slashdot.org/firehose.pl
Keywords: HasReduction, Regression
Depends on:
Blocks:
 
Reported: 2007-10-21 18:47 PDT by John Moe
Modified: 2007-10-21 22:55 PDT (History)
5 users (show)

See Also:


Attachments
Patch (2.71 KB, patch)
2007-10-21 22:39 PDT, Mark Rowe (bdash)
mitz: review+

Description John Moe 2007-10-21 18:47:38 PDT
Revision 26855, going to the URL.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x8bd8459d

Thread 0 Crashed:
0   com.apple.JavaScriptCore 	0x004a6e59 WTF::fastFree(void*) + 69 (FastMalloc.cpp:2083)
1   com.apple.JavaScriptCore 	0x004cc2d9 KJS::ArrayInstance::sort(KJS::ExecState*, KJS::JSObject*) + 319 (array_object.cpp:462)
2   com.apple.JavaScriptCore 	0x004d85a2 KJS::ArrayProtoFunc::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 14572 (array_object.cpp:787)
3   com.apple.JavaScriptCore 	0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95)
4   com.apple.JavaScriptCore 	0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772)
5   com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
6   com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
7   com.apple.JavaScriptCore 	0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266)
8   com.apple.JavaScriptCore 	0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94)
9   com.apple.JavaScriptCore 	0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95)
10  com.apple.JavaScriptCore 	0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772)
11  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
12  com.apple.JavaScriptCore 	0x004a276e KJS::BlockNode::execute(KJS::ExecState*) + 28 (nodes.cpp:1753)
13  com.apple.JavaScriptCore 	0x004eacc1 KJS::IfNode::execute(KJS::ExecState*) + 329 (nodes.cpp:1790)
14  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
15  com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
16  com.apple.JavaScriptCore 	0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266)
17  com.apple.JavaScriptCore 	0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94)
18  com.apple.JavaScriptCore 	0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95)
19  com.apple.JavaScriptCore 	0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772)
20  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
21  com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
22  com.apple.JavaScriptCore 	0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266)
23  com.apple.JavaScriptCore 	0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94)
24  com.apple.JavaScriptCore 	0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95)
25  com.apple.JavaScriptCore 	0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772)
26  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
27  com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
28  com.apple.JavaScriptCore 	0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266)
29  com.apple.JavaScriptCore 	0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94)
30  com.apple.JavaScriptCore 	0x004e01a3 KJS::FunctionImp::construct(KJS::ExecState*, KJS::List const&) + 297 (object.cpp:95)
31  com.apple.JavaScriptCore 	0x004ec35c KJS::NewExprNode::evaluate(KJS::ExecState*) + 1198 (nodes.cpp:625)
32  com.apple.JavaScriptCore 	0x004ebcc8 KJS::ArgumentListNode::evaluateList(KJS::ExecState*) + 146 (nodes.cpp:581)
33  com.apple.JavaScriptCore 	0x004ebf9c KJS::NewExprNode::evaluate(KJS::ExecState*) + 238 (nodes.h:393)
34  com.apple.JavaScriptCore 	0x004e9482 KJS::ReturnNode::execute(KJS::ExecState*) + 160 (nodes.cpp:2127)
35  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
36  com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
37  com.apple.JavaScriptCore 	0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266)
38  com.apple.JavaScriptCore 	0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94)
39  com.apple.JavaScriptCore 	0x004ed4ba KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 864 (object.cpp:95)
40  com.apple.JavaScriptCore 	0x004ef4e4 KJS::AssignResolveNode::evaluate(KJS::ExecState*) + 152 (nodes.cpp:1461)
41  com.apple.JavaScriptCore 	0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772)
42  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
43  com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
44  com.apple.JavaScriptCore 	0x004a32e0 KJS::FunctionImp::execute(KJS::ExecState*) + 28 (function.cpp:266)
45  com.apple.JavaScriptCore 	0x004f6b19 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 483 (function.cpp:94)
46  com.apple.JavaScriptCore 	0x004ec9b9 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 885 (object.cpp:95)
47  com.apple.JavaScriptCore 	0x004ead53 KJS::ExprStatementNode::execute(KJS::ExecState*) + 89 (nodes.cpp:1772)
48  com.apple.JavaScriptCore 	0x004e8c3f KJS::SourceElementsNode::execute(KJS::ExecState*) + 115 (nodes.cpp:2595)
49  com.apple.JavaScriptCore 	0x004feb99 KJS::FunctionBodyNode::execute(KJS::ExecState*) + 367 (nodes.cpp:1753)
50  com.apple.JavaScriptCore 	0x004f9434 KJS::Interpreter::evaluate(KJS::UString const&, int, KJS::UChar const*, int, KJS::JSValue*) + 1158 (interpreter.cpp:366)
51  com.apple.WebCore        	0x011ff993 WebCore::KJSProxy::evaluate(WebCore::String const&, int, WebCore::String const&) + 195 (kjs_proxy.cpp:87)
52  com.apple.WebCore        	0x01367e06 WebCore::FrameLoader::executeScript(WebCore::String const&, int, WebCore::String const&) + 68 (FrameLoader.cpp:761)
53  com.apple.WebCore        	0x0101bf85 WebCore::HTMLTokenizer::scriptExecution(WebCore::DeprecatedString const&, WebCore::HTMLTokenizer::State, WebCore::DeprecatedString, int) + 349 (RefPtr.h:41)
54  com.apple.WebCore        	0x0101cde3 WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State) + 2071 (HTMLTokenizer.cpp:470)
55  com.apple.WebCore        	0x0101d4a9 WebCore::HTMLTokenizer::parseSpecial(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 1541 (HTMLTokenizer.cpp:319)
56  com.apple.WebCore        	0x0101ef21 WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString&, WebCore::HTMLTokenizer::State) + 6603 (HTMLTokenizer.cpp:1278)
57  com.apple.WebCore        	0x0101fb56 WebCore::HTMLTokenizer::write(WebCore::SegmentedString const&, bool) + 1626 (HTMLTokenizer.cpp:1449)
58  com.apple.WebCore        	0x0101c439 WebCore::HTMLTokenizer::notifyFinished(WebCore::CachedResource*) + 743 (DeprecatedValueList.h:89)
59  com.apple.WebCore        	0x010e95ff WebCore::CachedScript::checkNotify() + 59 (CachedScript.cpp:92)
60  com.apple.WebCore        	0x010e9929 WebCore::CachedScript::data(WTF::PassRefPtr<WebCore::SharedBuffer>, bool) + 249 (CachedScript.cpp:84)
61  com.apple.WebCore        	0x010ebfa6 WebCore::Loader::didFinishLoading(WebCore::SubresourceLoader*) + 352 (PassRefPtr.h:45)
62  com.apple.WebCore        	0x01375534 WebCore::SubresourceLoader::didFinishLoading() + 50 (RefPtr.h:103)
63  com.apple.WebCore        	0x01347090 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 68 (ResourceHandleMac.mm:456)
64  com.apple.Foundation     	0x9285ad74 -[NSURLConnection(NSURLConnectionInternal) _sendDidFinishLoadingCallback] + 176
65  com.apple.Foundation     	0x92858e19 -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] + 748
66  com.apple.Foundation     	0x92858ab5 _sendCallbacks + 201
67  com.apple.CoreFoundation 	0x9082cf92 CFRunLoopRunSpecific + 1213
68  com.apple.CoreFoundation 	0x9082cace CFRunLoopRunInMode + 61
69  com.apple.HIToolbox      	0x92de28d8 RunCurrentEventLoopInMode + 285
70  com.apple.HIToolbox      	0x92de1fe2 ReceiveNextEventCommon + 385
71  com.apple.HIToolbox      	0x92de1e39 BlockUntilNextEventMatchingListInMode + 81
72  com.apple.AppKit         	0x93288465 _DPSNextEvent + 572
73  com.apple.AppKit         	0x93288056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
74  com.apple.Safari         	0x00005ff4 0x1000 + 20468
75  com.apple.AppKit         	0x93281ddb -[NSApplication run] + 512
76  com.apple.AppKit         	0x93275d2f NSApplicationMain + 573
77  com.apple.Safari         	0x00002302 0x1000 + 4866
78  com.apple.Safari         	0x00048ef1 0x1000 + 294641
Comment 1 Matt Lilek 2007-10-21 19:08:23 PDT
I don't see a crash, but this is printed to the console:

Safari(27527,0xa000d000) malloc: ***  Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Safari(27527,0xa000d000) malloc: ***  Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Safari(27527,0xa000d000) malloc: ***  Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Safari(27527,0xa000d000) malloc: ***  Deallocation of a pointer not malloced: 0xfffffff8; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
Comment 2 Mark Rowe (bdash) 2007-10-21 20:46:59 PDT
Sounds like Matt was using a debug build.  FastMalloc is a lot less forgiving on double-frees and the like than the system allocator used in release builds.
Comment 3 Mark Rowe (bdash) 2007-10-21 20:51:05 PDT
I don't see a crash with a recent release build, but I do get the following errors that indicate something bad is happening in malloc-land:

22/10/07 13:48:28 Safari[62662] ERROR: free is not supported 
22/10/07 13:48:28 Safari[62662] (JavaScriptCore/kjs/CollectorHeapIntrospector.h:56 static void KJS::CollectorHeapIntrospector::zoneFree(malloc_zone_t*, void*))
Comment 4 Mark Rowe (bdash) 2007-10-21 21:02:02 PDT
Reduction is simple:

[].sort()

This looks to have been introduced by Darin's change to arrays yesterday.
Comment 5 John Moe 2007-10-21 21:29:47 PDT
Simple reduction. Simple fix (array_object.cpp line 66):

static inline void freeStorage(JSValue** storage)
{
  if (storage)   // <-- add this check
     fastFree(storage - 2);
}

Comment 6 Mark Rowe (bdash) 2007-10-21 21:48:31 PDT
That looks like a correct fix as the null-check in freeStorage was removed in r26847.  Care to attach a patch with ChangeLog entry John?
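Added example, written for this page and not WebKit's code (nor John's or Mark's): a miniature C model of the storage layout and of the freeStorage() null check discussed in comments 4 to 6. Everything not on the page is an assumption: the names ArrayInstance, allocateStorage, arrayFromNumbers, arraySort and unguardedFreeTarget, the two header words implied by "storage - 2" (their contents are left zero here), and that a zero-length array never allocates a vector. unguardedFreeTarget() explains the console output from comment 1: with 4-byte pointers, NULL minus two words is exactly 0xfffffff8, so the pointer handed to the allocator was computed from a null base. freeStorage() has the check restored, so the [].sort() path in arraySort() releases nothing.

```c
#include <stdint.h>
#include <stdlib.h>

/* Opaque stand-in for KJS::JSValue; only a number is needed for sorting. */
typedef struct JSValue { int number; } JSValue;

/* Assumed layout (not on the page): two header words sit in front of the
 * element vector, which is why the snippet in comment 5 frees `storage - 2`. */
enum { HEADER_WORDS = 2 };

struct ArrayInstance {
    unsigned length;
    JSValue **storage;   /* NULL until the array has needed a vector (assumption) */
};

/* Address that "fastFree(storage - 2)" would hand to the allocator for a given
 * storage address, computed with pointerSize-byte wraparound. Integer maths is
 * used so the NULL case is well defined: with 4-byte pointers the result is
 * 0xfffffff8, the "pointer not malloced" value in Matt's console output. */
static uint64_t unguardedFreeTarget(uint64_t storage, unsigned pointerSize)
{
    uint64_t mask = pointerSize >= 8 ? UINT64_MAX : ((1ULL << (8 * pointerSize)) - 1);
    return (storage - (uint64_t)HEADER_WORDS * pointerSize) & mask;
}

/* freeStorage with the null check from comment 5 in place.
 * Returns 1 if a block was released, 0 if there was nothing to free. */
static int freeStorage(JSValue **storage)
{
    if (!storage)
        return 0;
    free(storage - HEADER_WORDS);
    return 1;
}

/* Allocate header words plus `capacity` slots; callers only see the vector. */
static JSValue **allocateStorage(unsigned capacity)
{
    JSValue **block = calloc(HEADER_WORDS + capacity, sizeof *block);
    if (!block)
        abort();
    return block + HEADER_WORDS;   /* header words stay zero in this model */
}

/* Build an array from constructed sample numbers. A zero-length array, like
 * [] in the reduction, gets no vector, so storage stays NULL. */
static struct ArrayInstance arrayFromNumbers(const int *numbers, unsigned count)
{
    struct ArrayInstance a = { count, NULL };
    if (count) {
        a.storage = allocateStorage(count);
        for (unsigned i = 0; i < count; i++) {
            a.storage[i] = malloc(sizeof(JSValue));
            if (!a.storage[i])
                abort();
            a.storage[i]->number = numbers[i];
        }
    }
    return a;
}

static int compareValues(const void *lhs, const void *rhs)
{
    const JSValue *a = *(JSValue *const *)lhs;
    const JSValue *b = *(JSValue *const *)rhs;
    return (a->number > b->number) - (a->number < b->number);
}

/* Mirror of the failing path in the trace: sort into a fresh vector, then
 * release the old one through freeStorage. Returns freeStorage's result, so
 * an empty array yields 0 instead of a free of NULL minus two words. */
static int arraySort(struct ArrayInstance *a)
{
    JSValue **sorted = NULL;
    if (a->length) {
        sorted = allocateStorage(a->length);
        for (unsigned i = 0; i < a->length; i++)
            sorted[i] = a->storage[i];
        qsort(sorted, a->length, sizeof *sorted, compareValues);
    }
    int released = freeStorage(a->storage);
    a->storage = sorted;
    return released;
}

static int arrayNumberAt(const struct ArrayInstance *a, unsigned i)
{
    return a->storage[i]->number;
}

/* Release the element values and the vector; safe on an empty array. */
static void arrayDestroy(struct ArrayInstance *a)
{
    for (unsigned i = 0; i < a->length; i++)
        free(a->storage[i]);
    freeStorage(a->storage);
    a->storage = NULL;
    a->length = 0;
}
```

Turning the freed address back into the base pointer is a quick triage step for reports like comment 1: a "pointer not malloced" value a few words below zero means an offset was subtracted from a null base before the free, which points straight at a missing null check rather than at a double free.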
Comment 7 Mark Rowe (bdash) 2007-10-21 22:00:48 PDT
And a test case, of course :)
Comment 8 John Moe 2007-10-21 22:12:04 PDT
No thanks. I am happy to just complain about bugs and leave patch/test case creation to the pros.
Comment 9 Mark Rowe (bdash) 2007-10-21 22:39:25 PDT
Created attachment 16783 [details]
Patch
Comment 10 mitz 2007-10-21 22:50:10 PDT
Comment on attachment 16783 [details]
Patch

r=me
Comment 11 Mark Rowe (bdash) 2007-10-21 22:55:41 PDT
Landed in r26862.